1b5dbc8d5f8315dcd2c22f94b49d5ac0ecc388785eb2fccfcbe58253dd5c696a

Analysis

max time kernel
86s
max time network
132s
platform
android_x64
resource
android-x64-20240624-en
resource tags

androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
submitted
19-09-2024 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea645c27a1c7f7d550dec9432f115232_JaffaCakes118.apk
Size

7.2MB
MD5

ea645c27a1c7f7d550dec9432f115232
SHA1

427718902016a3c9df577dab87817d6e13cd3050
SHA256

1b5dbc8d5f8315dcd2c22f94b49d5ac0ecc388785eb2fccfcbe58253dd5c696a
SHA512

d5595803ea14d247170009462c7bd6a634649c6261d50501b962c2a52e36a96f3a6008f320a36c4299700e47403006399855e7f39120f7abf0ddec893c26d767
SSDEEP

196608:E3w4tg1TNIr+7q+uPfQr0PRnYpeLGqHc24j43NiZ0IE7R8:EAIg1d76P9SeUj4XIGq

Score

7^/10

collection discovery evasion persistence

Malware Config

Signatures

Queries information about the current nearby Wi-Fi networks 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getScanResults	com.honeywell.hch.airtouch:remote

Requests cell location 2 TTPs 1 IoCs

Uses Android APIs to to get current cell location.

collection discovery evasion

Location Tracking

T1430

Geofencing

T1627.001

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.honeywell.hch.airtouch:remote

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 1 IoCs

flow	ioc
18	alog.umeng.com

Queries information about active data network 1 TTPs 2 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.honeywell.hch.airtouch
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.honeywell.hch.airtouch:remote

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.honeywell.hch.airtouch

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 2 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.honeywell.hch.airtouch:remote
Framework service call	android.app.IActivityManager.registerReceiver	com.honeywell.hch.airtouch

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.honeywell.hch.airtouch

com.honeywell.hch.airtouch
1⤵
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
PID:4925

com.honeywell.hch.airtouch:remote
1⤵
- Queries information about the current nearby Wi-Fi networks
- Requests cell location
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
PID:4984

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Execution Guardrails

T1627

Geofencing

T1627.001

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

Location Tracking

T1430

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Location Tracking

T1430

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.honeywell.hch.airtouch/databases/airTouch.db

Filesize
36KB

MD5
2e4d00ae44bd863fbcf72b2807601be6

SHA1
ce07aed45b221b121ec454b8851883310cd80c87

SHA256
d3c92ee59a292dd53af53022ebf772423442f92671f322d3192850dd99b14cc4

SHA512
78e7a14b2ce9b02e06db343722e06e7c63161d1c22a1499186d49134df65ac01fdd9fbb12d81df51b6d96a3d2695bcdc233203c0450d04ca66623d6fbf92d3cd

Download Submit
/data/data/com.honeywell.hch.airtouch/databases/airTouch.db-journal

Filesize
512B

MD5
6db78d83cfb19ae6872f0d3b033beefa

SHA1
8b6a144c594c344071f599fc986e71e4d84e2cb5

SHA256
05f5bfde78c1c2b05fd4445835ea0af26b513554e331ac12bbf4d27001d80498

SHA512
bc7f4d06a1fe920ce7e1093a54fe452aede7d5f1702779628c5e6cd561ccec8c71e3a1f12b3c04b39e9c3c774ccf075de8bc07d6c7dd98eaff3dd3273fb5ca0b

Download Submit
/data/data/com.honeywell.hch.airtouch/databases/airTouch.db-journal

Filesize
8KB

MD5
6a4bcf3d3c207be63b452ebdb65707f9

SHA1
5d83bbb99d52857ba6a2065d938f516b20e9e1e6

SHA256
ecd5dfc04e9a11f1359cafa68e2ddb64bbf7ce9ed6f100b36591750ed119cc1e

SHA512
0d100f2b9a2cd168207afa69cdb8fdf2cb71f095cffff0a60a2a665bc4940d31f739d15d46a3dfaa912a445176944d1b16fd5e093a39a3d579eba43a282556ff

Download Submit
/data/data/com.honeywell.hch.airtouch/databases/airTouch.db-journal

Filesize
28KB

MD5
2cd47ada17ad7a4e3d5e2717cb2762c6

SHA1
7cb844672cec4a3bce75c8cf81e80e8ad7cc49e5

SHA256
5f266f7cf5a44a3cfcc9bfbba94735081851edc224cb071fa6e650227e214279

SHA512
c25229cca649bc8ef54c0770a976034801c0a300d181c107c41879d7f6b7056c6282210c98661428078381032dc6fb0872112dde7e8efb1a9f9b333877f18dae

Download Submit
/data/data/com.honeywell.hch.airtouch/databases/airTouch.db-journal

Filesize
16KB

MD5
398ed0689ee1bbba61ebee8df58816a5

SHA1
93a24b5dacd8d7341643ed1379a44365271e953e

SHA256
17b11bd07d8133af5628064518979ca24d38ad338f0672667677db0f21e09c69

SHA512
5a4e0b62cd6d174d15d3fda9c87bdd42c906775563aaf201d5ab223e2e325ff1d2dca0c8ad72256eef3e0456ca109308257e11f050d8f4e571f321caeb903eef

Download Submit
/data/data/com.honeywell.hch.airtouch/files/lldt/firll.dat

Filesize
56B

MD5
e549594f2ed0480ba2f6f2072c8182b7

SHA1
fc3d76fc3f101ccc458e9be906f2e2cab6c43529

SHA256
296d7f4cd93950cdd03939778850faa56efe12c9a0f0148d09f457d9f6d95e02

SHA512
71367a7eccb7d644c2889bd26423b8bb43f819c96bfdd273d782a3fa6d492eb32990f9e8a19a66f89d9770d7eb37f0906b228e8e0aeee5d768be4ef01832a4d0

Download Submit
/data/data/com.honeywell.hch.airtouch/files/lldt/offinfo.dat

Filesize
44B

MD5
4ddbc5dd33fb4974390075e721bc74e8

SHA1
b068b63288988cc2b25c5d5c07a92494bb6bde7e

SHA256
71a190fb80c3462235f2570b3cb3b3bfe71029bf27d3ef018b4b61bcd8a049dd

SHA512
8d273ade647b790d90b1d623f09e6630afe7504d72ced709c8551753475aaec4b6a5f0774e3387ea7ab010aef084bc9aaa046272bd39d0a848baa7f9e8f82649

Download Submit
/storage/emulated/0/baidu/tempdata/conlts.dat

Filesize
12B

MD5
8d80bc8ea90e9cac010d3ddf97bda5f5

SHA1
f063bc0d356e6ba9ab1eb9a851131ffbefd8fa07

SHA256
f52db31332534833414abd5e870f78c810b8ebbe5b134bbf599506beecfd1b93

SHA512
9ea732dd572a9a4ba91b70891972230a09576687ca1bc19e62d5a98b5b84e0f2ae11985108008bc9fbccf357219b8bd3dbf146bb70752f618f70dc5d0c46a7c7

Download Submit
/storage/emulated/0/baidu/tempdata/conlts.dat

Filesize
163B

MD5
adaa2a79c181fc7556b40771654f14bc

SHA1
25f5a7416d398e5c46c7fe1cd1ad9b82f5657f95

SHA256
5d2e19321fca4c90c74048c3a85472a754d0d2463a915305936602bddb453e00

SHA512
442eb70d4dea833455e68a47bd7d4eeacb7f1e01f59c4fbb20545129a8d09b8bb5cb42dde5c311473838439a43db30077660b665beb21d0c4eb95699b29ca2f9

Download Submit
/storage/emulated/0/baidu/tempdata/lcvif.dat

Filesize
96B

MD5
2ebdf0d9469b63fe0529d398db123f94

SHA1
9595a21af17b643916687aff2042a7f2651148ff

SHA256
04a9e08b614d638ba52e6d3e00a82f1e90149f7a28fcc9414a080d64a4672e2a

SHA512
62dbe0682cccec58a822acffe4e95d9053e73fedb165f4bc7567888cf46f62b9443085f61dd4fa5c2794a5368d15bcc393e3020e1d4f2f941a3c7cd4e3c78452

Download Submit
/storage/emulated/0/baidu/tempdata/ls.db-journal

Filesize
8KB

MD5
351778b00910a3c5aa3ff2985de2836b

SHA1
5e50c5cfdb7b10ab2d5eae6a22c186e2c413a539

SHA256
3fcaf7879518610b59ea2dbfd4b1b661a8c3ab898fa4260159a601f2ccb4859b

SHA512
4c2c62ba55bad7cafdf48d472ade3f348a0b67288fc21eb64d6e1f73a7d2fb0db1fe5511b846d383c13aa07f0ed0988b30f0c10737ca6d1e4582acf5667682c8

Download Submit
/storage/emulated/0/baidu/tempdata/ls.db-journal

Filesize
8KB

MD5
607464fb9357d9c98c6e1f17a4284010

SHA1
710d39f549bf938ed0aa40c3717aad85395ad82a

SHA256
60216e0ed0030aa38e4fccb5204ed2c30f9cc6f46cd2b0acffed3a30507f258c

SHA512
764752f0ba2ee97ed5d8cf4d4547087a386f59ea778ab38bd8f87549253e4e93de1324703ae4628ae630fbc4d62e905c963d2c3952ac6633addcee0c9101fa50

Download Submit
/storage/emulated/0/baidu/tempdata/ls.db-journal

Filesize
4KB

MD5
8594f2c63f2fb66a6c6651b763d67cc7

SHA1
51909cfa721c7e2dc043e38409525ff83b67b28b

SHA256
1b1661d86860abfa86c80db33f3f1490a00afbe6865fbc16e28035e93a7d71b6

SHA512
a27ccc06a5ff74a4dc1df005600afc3032e09839f5daae30516069399c151add6fc048efc1b4af038183596a1e4ddd998f9ca9f1e376919145c3f860a14fe007

Download Submit
/storage/emulated/0/baidu/tempdata/yoh.dat

Filesize
24B

MD5
a936690571e9104e1922dda4a0ba5bd1

SHA1
65f49c57edde2f96be2a1dbdfc3f7351f1e66554

SHA256
f0f5049c51879dd7da0ce4a43349b5b34ce053d072a0ca704f62cf22ba4a8412

SHA512
3be1c3693963aebdfc04e86b1c820ee0ec3cf0b200e6a4788ef1141f39fd6c2f77f4227247ae4affa66c0a6c027df8466cc0dcec1e67ebfb953e36bee97de394

Download Submit
/storage/emulated/0/baidu/tempdata/yoh.dat

Filesize
24B

MD5
1681ffc6e046c7af98c9e6c232a3fe0a

SHA1
d3399b7262fb56cb9ed053d68db9291c410839c4

SHA256
9d908ecfb6b256def8b49a7c504e6c889c4b0e41fe6ce3e01863dd7b61a20aa0

SHA512
11bb994b5d2eab48b18667c7d8943e82c9011cb1d974304b8f2b6247a7e6b7f55ca2f7c62893644c3728d17dafd74ae3ba46271cf6287bb9e751c779a26fefc5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads